Explanatory Memorandum
(Circulated by authority of the Minister for Justice and Customs Senator the Honourable Chris Ellison)Schedule 3 - Financial Information Offences
Item 1 At the end of Chapter 10 of the Criminal Code
Schedule 3 of the Bill will insert new Part 10.8 - 'Financial information offences' - into Chapter 10 of the Criminal Code ('National Infrastructure').
In March 2004, the Standing Committee of Attorneys-General (SCAG) released the Model Criminal Code Officers' Committee (MCCOC) discussion paper on Credit Card Skimming Offences. The discussion paper identified a gap in federal, State and Territory criminal laws in their coverage of credit card skimming and included a model offence to address this gap. The model offence criminalises dishonestly obtaining or dealing in personal financial information without the consent of the person to whom the information relates.
These amendments will implement the model offence in the MCCOC discussion paper and will introduce other offences to target credit card skimming. Credit card skimming is the process by which legitimate credit card (and debit card) data is illicitly captured or copied, usually by electronic means. Credit card skimming frequently takes place through use of a skimming device - a device that will read and capture the data contained on the magnetic stripe of a credit or debit card, store that data and then allow it to be reproduced or access later. Skimming devices are closely related to, and in some cases adapted from, commercially available magnetic stripe readers which are used for a wide range of legitimate purposes.
While existing federal, State and Territory fraud and forgery laws cover many of the activities related to credit and debit card skimming, they do not comprehensively cover the act of skimming the data, possession of the skimmed data, or possession or importation of a skimming device.
These amendments are not limited to addressing credit card skimming activity. The proposed offences are directed at all dishonest dealings with personal financial information without the consent of the person to whom that information relates. For example, these amendments will also cover Internet banking fraud, addressing the situation where a person accesses a second person's Internet banking details without the consent of the second person (or uses a deception to obtain the second person's consent.)
The proposed offences are technologically neutral to ensure they remain relevant regardless of development in the devices and techniques used to capture (or 'skim') personal financial information. These offences are not limited to electronic skimming or skimming by some technological device, but cover other methods of illicitly obtaining credit or debit card details or other personal financial information (for example, from discarded bank statements or receipts).
Proposed section 480.1 Definitions
Proposed subsection 480.1(1) will define personal financial information to cover all information relating to a person that may be used (whether alone or in conjunction with other information) to access funds, credit or other financial benefits.
Adopting a definition of personal financial information which does not refer to technological devices or the physical credit or debit card will ensure that this offence will not be overtaken by developments in technology.
Personal financial information will extend beyond the physical credit and debit cards to include account numbers or credit card numbers which could be used, for example, to order goods over the telephone or to withdraw money over the counter at a bank from a savings account (in conjunction with falsifying a person's signature).
Personal financial information will also include any data captured from a credit or debit card. In addition, it will include a person's user identification name or number and password for access to Internet banking services.
Proposed subsection 480(1) will also clarify that dishonest has the meaning given by proposed section 480.2 The definition in proposed section 480.2 is identical to the definition of dishonest adopted in sections 130.3 and 130.4 of the Criminal Code for the purposes of the theft and fraud related offences in Chapter 7 of the Criminal Code . This provision will cover, for example, the scenario where a person acquires another person's password and user identification name for Internet banking (which would fall within the definition of personal financial information ) by sending an email request for the details which purports to be an email from the other person's bank.
Deception is defined broadly in proposed subsection 480.1(1) to mean an intentional or reckless deception, by words or other conduct, as to fact or as to law. Deception includes a deception as to the intentions of the person using the deception or any other person, and conduct by a person that causes a computer system or any machine to make a response that the person is not authorised to cause it to do. This definition is identical to the definition of deception adopted in section 133.1 of the Criminal Code for the purposes of the fraudulent conduct offences in Part 7.3 of the Criminal Code .
Adopting this definition of deception will ensure that the offences in proposed Part 10.8 of the Criminal Code cover the situation where the victim consented to his or her personal financial information being stored on a secure computer system and that information was obtained by a person who was unauthorised to have access to that computer system.
Proposed subsection 480(1) will also clarify that dishonesty has the meaning given by proposed section 480.2 This subsection will also define ADI, dealing and obtaining for the purposes of the financial information offences. The definitions of each of these terms are addressed below under proposed sections 480.3 and 480.4
Proposed subsection 480.1(3) will clarify that the financial information offences cover personal information relating to both an individual and a body corporate. It will also extend the coverage of the offences to the personal information of a dead person. For example, this offence would apply where a person, knowing of the death of a second person, intercepted the delivery of a debit card and password to the person, and subsequently used that card and password at an Automatic Teller Machine (ATM) to access funds in the deceased person's savings account.
Proposed section 480.2 Dishonesty
Proposed section 480.2 will define dishonest for the purposes of the financial information offences. The definition in proposed section 480.2 is identical to the definition of dishonest adopted in sections 130.3 and 130.4 of the Criminal Code for the purposes of the theft and fraud related offences in Chapter 7 of the Criminal Code . Dishonest means dishonest according to the standards of ordinary people and known by the defendant to be dishonest by the standards of ordinary people.
Proposed section 480.3 Constitutional application of this Part
Proposed section 480.3 will specify the Constitutional basis for the financial information offences. These offences will be supported by paragraph 51(xiii) (the banking power) and paragraph 51(xx) (the corporations power).
Proposed paragraph 480.3(a) will provide that Part 10.8 of the Criminal Code applies only to personal financial information to the extent that the funds concerned are deposited with, lent to or are otherwise to be provided or made available by, an ADI (authorised deposit-taking institution) or a constitutional corporation.
An ADI is defined in proposed subsection 480.1(1) as a corporation that is an ADI for the purposes of the Banking Act 1959 . Item 22 of Schedule 2 of the Bill will insert a definition of constitutional corporation into the Dictionary of the Criminal Code . Constitutional corporation will be defined as a corporation to which paragraph 51(xx) of the Constitution applies.
Similarly, proposed paragraph 480.3(b) will provide that Part 10.8 of the Criminal Code extends to personal financial information to the extend that the credit or other financial benefits concerned are provided, or made available, by an ADI or a constitutional corporation.
Proposed section 480.4 Dishonestly obtaining or dealing in personal financial information
Proposed section 480.4 will criminalise dishonestly obtaining, or dealing in, personal financial information without the consent of the person to whom the information relates.
Dealing in personal financial information is defined in proposed subsection 480.1(1) to include supplying or using personal financial information. Obtaining personal financial information is defined in proposed subsection 480.1(1) to include possessing or making personal financial information.
For the purposes of this offence, it does not matter whether the information is to be used to manufacture counterfeit credit cards, to obtain money from ATMs, to purchase goods over the phone or Internet or for any other fraudulent purpose. The details of the final use of the personal financial information do not change the nature of the act of dishonestly obtaining, or dealing in, that information without the consent of the person to whom it relates.
This offence will accommodate changes in technology as it focuses on criminalising the dishonest dealing in personal financial information and does not refer to the specific means by which that information is obtained.
In criminalising both obtaining and dealing in personal financial information without the consent of the person to whom it relates, this offence will address the situation where the victim consented to a first person obtaining his or her personal financial information but did not consent to the subsequent supply of that information by the first person to a second person.
A maximum penalty of 5 years imprisonment will apply to an offence against this section.
Proposed section 480.5 Possession or control of thing with intent to dishonestly obtain or deal in personal financial information
Proposed section 480.5 will make it an offence for a person to possess or control a thing with the intention that it be used either by the person or another person in committing an offence against proposed section 480.3, or to facilitate the commission of such an offence.
This offence will address a person's possession of a skimming device where the person has the intention that the device be used to dishonestly obtain or deal in the personal financial information without the consent of the person to whom the information relates. This offence will apply both where the person possesses the device intending to use the device himself or herself in committing, or to facilitate the commission, of an offence against proposed section 480.3 and where he or she intends that the device be used by another person for that purpose.
The adoption of the term 'thing', rather than 'skimming device', will ensure that this offence remains relevant regardless of developments in the equipment used to skim credit and debit card data.
A maximum penalty of 3 years imprisonment, a fine of 180 penalty units ($19,800), or both, will apply to an offence against this section.
Proposed section 480.6 Importation of thing with intent to dishonestly obtain or deal in personal financial information
Similarly, proposed section 480.6 will make it an offence to import a thing into Australia with the intention that the thing be used in committing an offence against proposed section 480.3 or to facilitate the commission of such an offence.
This offence will address a person's importation into Australia of a skimming device where the person has the intention that the device be used to dishonestly obtain or deal in the personal financial information without the consent of the person to whom the information relates.
This offence will apply both where the person imports the device intending to use the device himself or herself in committing, or to facilitate the commission, of an offence against proposed section 480.3 and where he or she intends that the device be used by another person for that purpose. For example, this offence would capture a person who organises the importation of skimming devices into Australia on behalf of, or in return for payment from, an organised criminal group but does not actively participate in, or direct, the use of those devices to skim data from credit and debit cards.
A maximum penalty of 3 years imprisonment, a fine of 180 penalty units ($19,800), or both, will apply to an offence against this section.